Audit Log
A public key infrastructure (PKI) is the set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public-key encryption. A PKI is more than Keyfactor Command, CAs, and certificates: it also includes the people and policies that interact with these entities. It is therefore critical to track the actions taken within Keyfactor Command that enable management of all entities that make up a PKI, as most attack vectors are exposed only internally. The Keyfactor Command audit logs are an immutable record of all changes made to the state of the application.
The information collected in the audit logs is available for viewing and analysis by several means:
- The data is available for viewing within the Keyfactor Command Management Portal, where a search tool may be used to search for specific logs (see Using the Audit Log Search Feature).
- The data is output to text-based logs on the Keyfactor Command server and stored for 14 days, by default (see Log Monitoring). From here, the logs may be collected by a centralized logging solution for analysis.
- The data is output to the Windows event log on the Keyfactor Command server in the Windows application event log. From here, the logs may be collected by a centralized logging solution for analysis. See Keyfactor Command Windows Event IDs. When analyzing audit logs as written to the Windows event log, it can be helpful to have the translations for the operation codes handy (see Audit Log Reference Codes). Audit log failures (when Keyfactor Command fails to log to the audit log) are also logged to the Windows event log.
- The data may optionally be copied in real time to a separate server for analysis with a centralized logging solution (e.g. rsyslog, Logstash). For more information, see Audit Log Output to a Centralized Logging Solution.
Any activity that triggers an audit flag generates an audit record. Auditable activities include actions (e.g. creation, change, deletion) on records in Keyfactor Command that have been configured as auditable (e.g. Certificates, Security, Templates, Application Settings). For a complete list of Keyfactor Command activity that is tracked through the audit log, see Audit Log Reference Codes.
The audit log page in the Keyfactor Command Management Portal allows you to view all the audit logs stored in Keyfactor Command and perform searches on them. Audit logs are stored for seven years, by default (see Application Settings: Auditing Tab).
The audit log grid includes these fields:
- Level
  The logging level of the message. Most messages are generated at Information level.
- Category
  The area of Keyfactor Command that generated the audit log (see Audit Log Categories).
- Message
  The audit log message. The message is made up of the user who took the auditable action, the action the user took, the category the user acted upon, and the name of the object acted upon.
- Timestamp
  The time and date that the message was generated.
The grid can be sorted by clicking on a column header. All columns except Message may be sorted. Click the column header again to reverse the sort order. The grid columns can be arranged in any order desired by click-holding and dragging the header of the column you wish to move. The column widths may be adjusted by click-holding and dragging the line separating two column headers.
Figure 367: Audit Log